[Owasp-testing] Are the Risk Rating Wiki Pages Broken?

Jim Manico jim.manico at owasp.org
Tue Aug 27 07:43:15 UTC 2013

Agreed and well said, Eoin.

Jim Manico
(808) 652-3805

On Aug 27, 2013, at 3:24 PM, Eoin Keary <eoin.keary at owasp.org> wrote:

> Hello All,
> My opinion, as a previous lead of the testing guide is that the decision to keep risk rating in or remove it is the team leaders. Everyone has the right to voice their opinion without being flamed. Please respect that the guide is a collaboration but the team lead is the leader if the project.
> Eoin Keary
> Owasp Global Board
> +353 87 977 2988
> On 27 Aug 2013, at 05:00, Christian Heinrich <christian.heinrich at cmlh.id.au> wrote:
>> Jim,
>> On Tue, Aug 27, 2013 at 12:20 PM, Jim Manico <jim.manico at owasp.org> wrote:
>>> We don't need to abort it. Why not just make it better and/or list
>>> some of the problems with it? I'm fairly loud and aggressive regarding
>>> pointing out vendor neutrality issues, and I do not see this as a
>>> violation as it stands today.
>> Unless evidence is produced which demonstrates that the proposed
>> changes to the OWASP Risk Rating Methodology are innovative over CVSS
>> and ISO 31000 then OWASP will cause nothing more than confusion in the
>> market and further loss position as the leader of the webappsec field
>> to ISECOM and others.
>> http://lists.owasp.org/pipermail/owasp-board/2013-March/011679.html is
>> dated less than six months ago which is in the last hour if yesterday
>> was when I proposed to update the OWASP Risk Rating in 2010.
>> https://www.owasp.org/index.php/Issues_Concerning_The_OWASP_Top_Ten_2013
>> is more recent (June), or last 15 minutes :) and proves that the OWASP
>> Risk Rating Methodology was manipulated for Aspect Security for
>> commercial gain.
>> On Tue, Aug 27, 2013 at 12:20 PM, Jim Manico <jim.manico at owasp.org> wrote:
>>> Perhaps the testing guide can list several of these rating systems and
>>> let the tester decide what to choose?
>> We have https://www.owasp.org/index.php/Threat_Risk_Modeling already
>> and co-incidentally this doesn't list the OWASP Risk Rating
>> Methodology.
>> On Tue, Aug 27, 2013 at 12:20 PM, Jim Manico <jim.manico at owasp.org> wrote:
>>> Christian, I'm aiming for a softer approach because at the end of the
>>> day we are all just volunteers, even those that may have been abusive
>>> in the past.
>> I have offered a resolution to Marco (and Josh) already that if there
>> is no evidence to support that an update to the OWASP Risk Rating
>> Methodology would provide what is already available within CVSS or ISO
>> 31000 today then I am more than willing to facilitate an introduction
>> to the CVSS-SIG (unfortunately I can't assist with ISO directly but I
>> could approach Standards Australia for a contact of a standards body
>> within their respective country).
>> --
>> Regards,
>> Christian Heinrich
>> http://cmlh.id.au/contact
>> _______________________________________________
>> Owasp-testing mailing list
>> Owasp-testing at lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/owasp-testing

More information about the Owasp-testing mailing list